feat: Add internalJWTMap used for inter service communication authentication (#109)

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
KyleGoyette and github-actions[bot] authored Dec 4, 2024
1 parent 5952fcc commit 5bf0177
Showing 3 changed files with 17 additions and 0 deletions.
1 change: 1 addition & 0 deletions README.md
@@ -111,6 +111,7 @@ resources that lack official modules.
| <a name="input_enable_database_vault_key"></a> [enable\_database\_vault\_key](#input\_enable\_database\_vault\_key) | Flag to enable managed key encryption for the database. Once enabled, cannot be disabled. | `bool` | `false` | no |
| <a name="input_enable_storage_vault_key"></a> [enable\_storage\_vault\_key](#input\_enable\_storage\_vault\_key) | Flag to enable managed key encryption for the storage account. | `bool` | `false` | no |
| <a name="input_external_bucket"></a> [external\_bucket](#input\_external\_bucket) | config an external bucket | `any` | `null` | no |
| <a name="input_kubernetes_cluster_oidc_issuer_url"></a> [kubernetes\_cluster\_oidc\_issuer\_url](#input\_kubernetes\_cluster\_oidc\_issuer\_url) | OIDC issuer URL for the Kubernetes cluster. Can be determined using `kubectl get --raw /.well-known/openid-configuration` | `string` | `""` | no |
| <a name="input_kubernetes_instance_type"></a> [kubernetes\_instance\_type](#input\_kubernetes\_instance\_type) | Instance type for primary node group. Defaults to null and value from deployment-size.tf is used | `string` | `null` | no |
| <a name="input_kubernetes_max_node_per_az"></a> [kubernetes\_max\_node\_per\_az](#input\_kubernetes\_max\_node\_per\_az) | Maximum number of nodes for the AKS cluster. Defaults to null and value from deployment-size.tf is used | `number` | `null` | no |
| <a name="input_kubernetes_min_node_per_az"></a> [kubernetes\_min\_node\_per\_az](#input\_kubernetes\_min\_node\_per\_az) | Minimum number of nodes for the AKS cluster. Defaults to null and value from deployment-size.tf is used | `number` | `null` | no |
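Review bot: the new row for `kubernetes_cluster_oidc_issuer_url` tells the reader to run `kubectl get --raw /.well-known/openid-configuration` but not which part of the output to use; the value this variable needs is the `issuer` field of that JSON document, and the row should say so. Since this table is generated from the variable's `description`, the wording fix belongs in variables.tf rather than here. It would also help operators to state in the same row that the value is consumed by the `internalJWTMap` trust entry for the weave-trace service account, so they understand what setting it enables.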
7 changes: 7 additions & 0 deletions main.tf
@@ -269,6 +269,7 @@ locals {
accessKey = var.storage_key
}
bucket_config = var.external_bucket != null ? var.external_bucket : (local.use_customer_bucket ? local.default_bucket_config : null)
weave_trace_service_account_name = "wandb-weave-trace"
}

module "wandb" {
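Review bot: `weave_trace_service_account_name = "wandb-weave-trace"` is a fixed local with nothing on the page explaining where the name comes from, and no variable to override it. Because this name is interpolated into the JWT `subject` that the service will accept, a mismatch with the service account the weave-trace workload actually runs under means the inter-service token is simply rejected, which is hard to diagnose from Terraform alone. A one-line comment stating which chart or manifest defines this service account would make the coupling visible; if the name can vary by deployment, expose it as a variable with this value as the default.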
@@ -339,6 +340,12 @@ module "wandb" {
annotations = { "azure.workload.identity/client-id" = module.identity.identity.client_id }
labels = { "azure.workload.identity/use" = "true" }
}
internalJWTMap = [
{
subject = "system:serviceaccount:default:${local.weave_trace_service_account_name}",
issuer = var.kubernetes_cluster_oidc_issuer_url
}
]
}

ingress = {
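Review bot: `var.kubernetes_cluster_oidc_issuer_url` defaults to `""` (variables.tf in this same commit), so a deployment that never sets it still emits an `internalJWTMap` entry whose `issuer` is an empty string, and nothing on the page says how the service treats that. Build the list conditionally so no trust entry exists until the issuer is actually known, e.g. `internalJWTMap = var.kubernetes_cluster_oidc_issuer_url != "" ? [{ subject = "...", issuer = var.kubernetes_cluster_oidc_issuer_url }] : []`. The namespace in the `subject` is also hard-coded to `default`; if the weave-trace service account can live in another namespace, that should be a local or variable next to `weave_trace_service_account_name` rather than a literal inside the string.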
9 changes: 9 additions & 0 deletions variables.tf
@@ -337,3 +337,12 @@ variable "clickhouse_region" {
description = "ClickHouse region (eastus2, westus3, etc)."
default = ""
}

###########################################
# Internal Service #
###########################################
variable "kubernetes_cluster_oidc_issuer_url" {
type = string
description = "OIDC issuer URL for the Kubernetes cluster. Can be determined using `kubectl get --raw /.well-known/openid-configuration`"
default = ""
}
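Review bot: the new variable has no `validation` block, so a typo or a value that is not an issuer URL is accepted silently and only surfaces when tokens fail to verify at runtime. Since the value is used as an OIDC issuer, a minimal check would be `validation { condition = var.kubernetes_cluster_oidc_issuer_url == "" || can(regex("^https://", var.kubernetes_cluster_oidc_issuer_url)); error_message = "kubernetes_cluster_oidc_issuer_url must be an https URL." }`, keeping `""` allowed so the existing default still works. The `description` should also name the `issuer` field of the `/.well-known/openid-configuration` response as the value to copy, rather than only pointing at the command.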

0 comments on commit 5bf0177
